
Running site-to-site vpn & EasyVPN over same T-1

ldonovan
Level 1

Hello,

We have a 3825 router at a remote facility with one Internet T-1 connected to it. The 3825 has multiple site-to-site VPNs running over the T-1, but now we also need to configure EasyVPN so that our engineers can VPN into the remote site (to manage the servers behind the router). From what I can tell so far, there is no way to have both site-to-site and EasyVPN running over the same interface, since you can only apply one crypto map at a time.

Does anyone know how to accomplish this?

Sincerely,

-Laura

2 Replies

slmansfield
Level 4

You can create multiple instances within your crypto map, indicated by instance numbers. Here is an example of setting up a router with LAN2LAN and EZVPN. The crypto map "mymap" is applied to the outside interface. Mymap instance 10 is for EZVPN. Mymap instance 20 is for LAN2LAN.

crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key mykey address 1.2.3.4
crypto isakmp keepalive 30 10
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNO 10
 set transform-set TRANS
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic DYNO
crypto map mymap 20 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set TRANS
 match address 101

Thank you so much - that worked! I had been using different map names for the Lan2Lan and EasyVPN. I didn't realize that the line:

crypto map mymap 10 ipsec-isakmp dynamic DYNO

was how I could order it onto an existing map.

Thanks!

-Laura